The XPocalypse is upon us: Windows XP support has ended

Without patches, it's inevitable that systems are going to get pwned.

It's finally here. After 12 years, 6 months, and 12 days on the market, Windows XP has hit its end of life. It will receive its last ever set of patches on Windows Update today (or "Woo" as Microsoft remarkably pronounces it internally), and for the most part, that will be that. Any flaws discovered from now on—and it's inevitable that some will be discovered—will never be publicly patched.

How bad is this going to be? It's probably going to be pretty bad. By some measures, about 28 percent of the Web-using public is still using Windows XP, and these systems are going to be ripe for exploitation.

While we can hope that personal firewalls and NAT systems will prevent any kind of Code Red or Nimda-style self-propagating worm from infecting these systems, exploitation through the likes of malicious e-mail attachments, Office documents, USB keys, and browsers is inevitable.

In fact, some lesser-publicized support changes are likely to exacerbate the situation. Office 2003, released October 21, 2003, is also having its support ended today. And although Internet Explorer 7 and 8 were both released after Windows XP—and will continue to be supported on Windows Vista and Windows 7—they too are no longer supported on Windows XP and will no longer get patches.

Google and Mozilla will continue to support Chrome and Firefox on Windows XP for at least one year. Similarly, some antivirus software will continue to receive definition updates, including Microsoft's own Security Essentials. But these are small efforts to patch a ship that will be holed repeatedly below the waterline.

We can expect to see the usual range of malware running on exploited machines. That malware will be a threat to the machines' users, of course, with exploits that can spy on them and compromise passwords, banking details, and so on. But more problematically, it will also be a threat to everyone else, as compromised XP installations will be recruited into botnets, taking commands from remote systems to perform such tasks as sending spam and participating in denial of service attacks.

How large of a threat will this be? That's the big unknown. Machines that visit the Web have a certain amount of visibility, so we know that they number in the hundreds of millions and are especially common in East Asia. A proportion of these machines has already been hacked. A proportion will be hacked in the future.

Our guess? It's unlikely there will be any serious high-visibility worm or other massive exploit. Instead, we'd expect to see all the Internet issues we see normally, but worse. More people getting phished, more spam, bigger DoS attacks.

Less-visible XP systems

To these "visible" machines one has to add an unknown number of machines that aren't used to browse the Web.

Windows XP is used, for example, in point of sale systems, numerous medical systems, and tens of thousands of ATMs. These machines may have less exposure to threats than machines used to surf the Web, but they are likely to have a lot more sensitive data on them. And while they may not be connected to the Internet directly, they may be reachable over local networks by machines that are accessing the Web or e-mail.

While this is unlikely to be an issue for untargeted wide-scale attacks, this level of access can be enough for targeted attacks aimed at the networks of specific organizations. With spear-phishing, for example, a malicious e-mail can be used to compromise a regular desktop, and that desktop can then be used as a foothold to reach other systems, including insecure XP systems, on internal corporate networks. The opacity of these networks, however, makes the size of the threat impossible to determine.

In theory, many of these machines shouldn't be at risk. Windows XP Embedded, the special componentized version of Windows XP meant to be used for appliances such as ATMs and POS, is actually supported for almost two more years, with support ending on January 12, 2016.

In practice? We're going to find out. We'd like to hope that ATMs, for example, are all on private networks, with no ready access to unprotected machines, and we'd like to imagine that they're all using Windows XP Embedded, with effective patching regimes, but with members of the ATM industry expressing concern about the end of support for regular, non-embedded, Windows XP, we're not optimistic. This is an industry that should be telling the world, "We're fine until 2016." It isn't.

The same is true of all the Windows XP machines that are being used to control industrial machinery, security systems, and the like. They should be running Windows XP Embedded. They probably aren't.

What do we expect to see? The sad fact is that companies are already getting hacked, especially in targeted attacks, even with notionally up-to-date patched software, as the recent Target case demonstrates. We fully expect this to continue, though as before, we'd expect it to get worse, and we'd be surprised if there weren't at least one high-profile case—a bank, a government, a hospital, say—of an organization losing millions of pieces of sensitive information due to hacked XP machines.

In fact, the only reason we wouldn't expect a huge upswing in attacks, in spite of the huge increase in readily exploitable machines, is because Windows XP is already quite vulnerable to exploitation. Over the course of its 12-year life, it has suffered its fair share of zero-day flaws, and many users are far from judicious about installing security fixes when they become available. Exploiting Windows XP will be easier than it is now, but as a demographic, Windows XP users are already quite vulnerable. The XPocalypse won't create a problem: it's just going to make a bad situation even worse.

Also going end of extended support today is Exchange 2003, and by extension SBS 2003. Most of my clients were moved over a while ago, but there are still stragglers who rely on (and love) SBS and Exchange 2003.

The healthcare portion of XP machines is what frightens me the most. I just visited my grandmother in the hospital yesterday, and every single workstation I saw was running XP. This is not some 20 bed backwater clinic, this was a major hospital in the Baltimore metro area, part of a major hospital system of more than a dozen locations. Since I was also born at this hospital and visited there a few years ago, there are no doubt plenty of records somewhere with my personal information.

At the very least, we could be looking at data compromise and HIPAA violations, and all the goodness that comes with your every intimate detail and SSN being in the wrong hands. At very worst, we could be looking at compounders and pharmaceutical computers being compromised, messing with everything from patient medication schedules to actual creation of medication mixtures.

As I understand it, malware developers reverse engineer the Windows Updates to figure out what changed as a hint to find unprotected real estate in unpatched systems. Continuing support for companies with contracts is just going to provide a roadmap to these developers moving forward, as most XP users won't have a legitimate avenue for updates.

I wonder if one of the antivirus vendors will also reverse engineer these patches then deliver their own clean room implementation of them for a wider customer base.

If you're running XP on financial systems at this point you're acting irresponsibly with your customers' data and money, especially if that machine shares a network that has any internet exposure. It's akin to a bank knowing the vault is vulnerable to breach from a neighboring location and not reinforcing the adjoining wall.

For the love of all that is sacred, upgrade to 8... They've fixed most of the issues OR migrate to a supported platform like BSD, etc. If the hardware isn't Windows 8 compatible then try Elementary OS, or Mint Linux or PC-BSD, just do the world a favor and NOT become a launch platform for malicious software.

For malware writers, the race is now on to pwn as many XP boxes as possible before someone else does. I wouldn't even be surprised to see some kind of malware warfare emerge, as malware writers include code to clear the OS of competing malware on compromised machines so that they can have sole control.

Wouldn't it be wonderful to have a Linux distribution DVD that, while installing itself, automatically generates a virtual machine image from the currently installed Windows XP system? This VM, as long as it is detached from the network, can then be safely run within the Linux environment. Is there something like this? It would be an ideal solution for many people who have hardware that is too old to run Windows 7, and a golden opportunity to get Linux on the desktop.

The word on the street is that HIPAA is going to do what Microsoft could never do - get rid of XP. But it won't happen overnight. Your hospital in question is likely rolling out a Windows 7 based solution as we speak, but you don't just 'update' the PC - you have to test and test and test and test. On top of that, the Feds have dropped Meaningless Abuse (err, Meaningful Use) requirements on everyone, and the vendors are scrambling to slap these bizarre and idiosyncratic bits of EHR-dom on to their software packages.

This isn't an especially good time to be in healthcare IT (as if there ever was one....).

That's actually a good question. Assuming you're not talking about the virtual machine, and talking about the "run this program with compatibility" option: it's quite possible that some of the legacy compatible API framework is near identical to XP, but I don't imagine M$ is that short-sighted so as to allow those APIs to remain unpatched. Most of them are probably just wrapper classes for newer libraries.

On that same note, if you still need XP for legacy apps, now is the time to build and patch that last master Virtual Machine image. Just make sure you yank the virtual network adapter before saving it down to your VM master library. Fortunately, VMCI will allow host-VM communications without a network adapter installed.

This is an excellent article. The conclusions are reasonable and the rationale is very clear. The biggest problem with this is the number of XP machines still on the internet. They just got a huge target painted on them.

Sometimes the people who know what kind of potential issue this can be are not the ones with any control over large money decisions like moving off of XP. Sometimes it takes a massive breach and 'I told you so' before executives can hope to understand what their tech team has been telling them for years.

We are three major versions of Windows past XP, anyone saying there has not been enough time to upgrade is just wrong. That being said, people getting pwned is probably going to go a long way to them getting off XP.

This already happens, and has been for years. It was fairly common for exploits to patch other holes (which they don't use) so that they maintain control of a system.

I understand that completely... But then it is not you who is acting irresponsibly, it's the party who's made the decision not to act. We're not talking about pre-internet Commodore 64s here, we're talking about machines that often stay connected 24/7.

No one in my family is paying for an upgrade to 8/8.1. Those that have Windows 7 are staying put, but the XP folks are switching to Linux Mint. There have been some transition pains, but overall, it's going well.